There is an ebb and flow to cybersecurity. Black Hats find a vulnerability, White Hats find a patch, and businesses are left in the middle in a constant state of risk.
Attacks are getting more common and more sophisticated. Ransomware attacks alone occur every 40 seconds, and ransomware families like Ryuk and Maze show increasing sophistication in targeting the most crucial parts of a network. The impact on businesses is staggering. Business losses attributed to cybercrime totaled more than $2 trillion in 2019, according to a recent report from Juniper Research. This does not include the negative effects an incident can have on a company’s reputation and future financial success.
Even if you have taken all the right steps to secure your data, it is very likely that at some point you will be breached and will need to know what to do afterwards. So, in the event of a data breach, what steps can you take to ensure business resilience and continuity?
The choices you make when an attack happens are critical. They can either mitigate the damage or make it worse.
Nevertheless, many companies are unprepared. Even those that have built robust defenses miss an important step: a comprehensive response plan that will guide them in the event of a breach. About 77% of security and IT professionals do not have an enterprise-wide cybersecurity response plan, according to the 2020 Cost of a Data Breach Study from IBM.
Having a plan in place can limit the financial, legal and reputational impact of a data breach.
Put Together a Response Team
A data breach demands a comprehensive response. Knowing who will be part of your response team and assigning their primary tasks ahead of time will help you quickly take appropriate action. The team should be enterprise-wide and include key members of the executive team and board of directors, the head of IT, security experts, as well as representatives from your legal, communications and HR departments.
It is important to remember that it is not just your company’s data that has been compromised. Employees need to know what risks they face and what they need to do. Vendors and clients who were impacted need to be informed.
Having a comprehensive team in place will help create a multifaceted plan that addresses all the issues a data breach may create.
Identify the Source and Spread
In the aftermath of an incident, you do not want to take any steps that might inadvertently spread the problem. Focus on identifying the source of the attack and isolating the affected servers and systems. Infected machines should be analyzed to determine whether a full operating system restore is required or whether they can be cleaned using anti-ransomware software. As ransomware families like Ryuk evolve, working their way up through a network in stages rather than striking a single machine, this isolation becomes even more crucial. This latest generation of attacks can be more effective, faster, and spread wider than those of the past. Ensuring your team is educated and kept current on the latest variants will help them know where to start looking once a breach occurs.
Think Before You Act
If a ransomware attack happens and employees find themselves locked out of their data, the gut reaction may be to reload from backed-up files. That is what they are there for after all. There is a good chance, however, that these files have also been targeted by the attack, leaving them encrypted, unrecoverable or also infected. Always train employees to scan backup files before attempting a recovery.
Digital storage systems that enable point-in-time recovery can be invaluable in reducing downtime from a ransomware attack that manages to encrypt data and backup files. These systems enable security and IT teams to roll back to a restore point before the infection, which should recover the bulk of the data in a single step.
Since these systems track changes at the block level, they are able to recover quickly. Backups of the most critical files and data should also be kept in air-gapped storage systems. This ensures that at least one copy of the data is always housed on systems that are isolated from the network and will remain unaffected by an attack.
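The two recovery rules above, scan backups before restoring from them and roll back to a point before the infection, can be combined into a single check that runs before anyone touches a restore. The script below is an added example, not code from the original article or any particular backup product: it takes a series of snapshots, looks for ransomware indicators in each one (ransom-note file names, encrypted-file suffixes, files whose hash no longer matches a known-good manifest, missing files, and unexpected high-entropy content), and picks the newest snapshot taken before the infection was first seen that passes every check. The manifest, the snapshot contents, the infection time and the indicator lists are all constructed for the example.

```python
"""Choose a safe restore point from a series of backup snapshots.

Added example (not from the original article). All snapshot contents,
the known-good manifest and the indicator lists below are constructed.
"""
import hashlib
import math
from datetime import datetime

# Constructed manifest: SHA-256 of the known-good content of each protected
# file. In practice this would be written when the backup was taken and
# stored separately from the backup itself.
KNOWN_GOOD = {
    "finance/ledger.csv": hashlib.sha256(b"id,amount\n1,100\n").hexdigest(),
    "hr/payroll.xlsx": hashlib.sha256(b"payroll-workbook-bytes").hexdigest(),
}

# Constructed indicator lists (assumptions for the example, not exhaustive).
SUSPICIOUS_SUFFIXES = (".encrypted", ".locked", ".crypt")
RANSOM_NOTE_NAMES = ("readme_to_decrypt.txt", "how_to_recover.txt")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext sits close to 8.0
ENTROPY_MIN_SIZE = 256    # entropy of tiny files is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content: ~8.0 for ciphertext, lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_snapshot(files: dict) -> list:
    """Return a list of findings for one snapshot; an empty list means clean.

    `files` maps a path inside the snapshot to its bytes.
    """
    findings = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES:
            findings.append(f"ransom note present: {path}")
        if name.endswith(SUSPICIOUS_SUFFIXES):
            findings.append(f"encrypted-file suffix: {path}")
        if path in KNOWN_GOOD:
            # A known file is judged by its manifest hash, not by entropy.
            if hashlib.sha256(data).hexdigest() != KNOWN_GOOD[path]:
                findings.append(f"hash mismatch against manifest: {path}")
        elif len(data) >= ENTROPY_MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings.append(f"unexpected high-entropy content: {path}")
    # Files the manifest expects but the snapshot no longer contains.
    for missing in sorted(KNOWN_GOOD.keys() - files.keys()):
        findings.append(f"manifest file missing: {missing}")
    return findings


def pick_restore_point(snapshots: list, first_seen_infected: datetime):
    """Newest snapshot taken before the infection that passes scan_snapshot.

    `snapshots` is a list of (timestamp, files) tuples. Returns
    (timestamp_or_None, findings_by_timestamp) so the rejected snapshots
    can be reported alongside the chosen one.
    """
    report = {}
    candidate = None
    for ts, files in sorted(snapshots, key=lambda s: s[0]):
        findings = scan_snapshot(files)
        report[ts] = findings
        if ts < first_seen_infected and not findings:
            candidate = ts
    return candidate, report


# Constructed snapshots: two clean nightly backups, then one taken after the
# ransomware ran (file renamed and encrypted, ransom note dropped).
CLEAN = {
    "finance/ledger.csv": b"id,amount\n1,100\n",
    "hr/payroll.xlsx": b"payroll-workbook-bytes",
}
TAMPERED = {
    "finance/ledger.csv.encrypted": bytes(range(256)) * 4,  # stands in for ciphertext
    "hr/payroll.xlsx": b"payroll-workbook-bytes",
    "readme_to_decrypt.txt": b"your files have been encrypted",
}
SNAPSHOTS = [
    (datetime(2020, 5, 1, 2, 0), CLEAN),
    (datetime(2020, 5, 2, 2, 0), CLEAN),
    (datetime(2020, 5, 3, 2, 0), TAMPERED),
]
INFECTION_FIRST_SEEN = datetime(2020, 5, 2, 23, 30)  # constructed detection time

if __name__ == "__main__":
    chosen, report = pick_restore_point(SNAPSHOTS, INFECTION_FIRST_SEEN)
    for ts, findings in report.items():
        print(ts, "clean" if not findings else findings)
    print("restore from:", chosen)
```

The same scan can run over a real backup catalog by replacing the constructed snapshots with a walk over each snapshot's files and loading the manifest from wherever the backup job writes it; the point is that the decision to restore is made by a check, not by whichever backup happens to be newest.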
Don’t Cover It Up
When it comes to data breaches of any kind, from a DDoS attack to malware, there can be a perceived negative stigma. There may be fears that the breach will make your company look careless and undermine the trust of clients and partners. There may be an impulse toward keeping quiet. After all, if no one knows about it, it didn’t really happen.
The truth is these sorts of attacks are common. A breach is not a sign of corporate weakness, it is an unfortunate reality of existing in the digital age. The worst thing you could do after a breach is to keep it quiet.
In many cases, your company has a legal duty to notify law enforcement or privacy regulators. Every attack needs to be understood so as to give White Hats a chance to bring equilibrium to that ebb and flow of vulnerability.
Reporting is the first thing you can do to protect your organization from a subsequent attack.
In addition, a common mistake is to shut off machines after an attack. Don’t do so before experts have examined them, or you may destroy evidence and hinder the investigation. Begin by notifying your local police department and filing an official complaint. If they lack experience investigating data breaches, contact the FBI Internet Crime Complaint Center, as well as the U.S. Computer Emergency Readiness Team, which is part of the Department of Homeland Security. If sensitive data about customers has been compromised, you’ll also need to file a report with the Federal Trade Commission.
Additionally, you will need to work with your legal, HR, and customer support teams to let all affected parties know of the breach, what you are doing to protect them, and what they should do. While fear of the response may make you want to keep the breach a secret, the damage you could cause by doing so will overshadow the damage from being transparent.
Protect Your Network from Another Attack
In the aftermath of a breach, your company’s leadership will be focused on cybersecurity. That presents an opportunity for a wide-ranging evaluation of your current security practices, procedures and tools. Don’t waste it.
Look beyond simply determining what failed in this instance and what fix needs to be applied, and consider vulnerabilities across the entire company. Are employees being properly trained to identify potential phishing attempts? Is your BYOD policy up to date with current technologies? Is it being actively enforced? Are passwords being regularly changed? Are technologies such as two-step verification and off-site data backup being used?
Identify all the vulnerabilities in both the network and the human components of your company. Deploy security software, hardware and procedures to address these issues.
The best defense against a future attack is a layered approach that includes endpoint protection, firewalls, antivirus and anti-ransomware software. A hacker’s favorite route to your data is through employees, so recommit to training staff and keeping them up-to-date on the latest schemes and tactics being used to trick them into opening an email or clicking on a link.
Even companies that have taken every measure to protect themselves can experience a data breach. The steps you take once a breach happens can mean the difference between a quick recovery that diminishes damage or a spiraling crisis.